EXECUTIVE SUMMARY: Software-as-a-Service platforms and their clients face an insidious type of phishing-based threat. Organizations that fail to get ahead of it can experience lasting consequences.

What’s Happening

SaaS companies regularly send out email-based communications, such as payment requests and invoices. As everyone knows, this is a normal part of business. Clients expect these communications and are accustomed to getting in touch, as needed, to settle accounts.

In the past two weeks, Check Point researchers have seen nearly 2,500 of these types of emails, the majority of which impersonated xero.com and mycase.com services.

However, cyber criminals are exploiting the vendor-client relationship by cloning the appearance of these requests (email spoofing), and populating the templates with fake contact details.

Recipients of these spoofed emails are instructed to respond to the message using what are, unbeknownst to them, contact details that directly connect them with cyber criminals.

In some cases, the cyber criminals only include their contact details within attachments. This renders attack identification more challenging, as the contact details are not immediately visible.

Template populated with fake contact details. Image courtesy of Check Point Research.

The Danger

Once cyber criminals have lured someone into speaking or otherwise connecting with them, they also frequently manage to lure the victim into divulging credentials.

These credentials may provide account access that can be used to gather valuable information, which can be sold on the dark web for a profit or weaponized to exploit other organizations.

Because cyber criminals impersonate legitimate SaaS companies in these attacks, the emails come across as authentic, and email security systems frequently fail to detect them.

While SaaS-based phishing threats are often overlooked in favor of more interesting or “buzzworthy” phishing threats, organizations need to take these threats seriously.

For SaaS Organizations

SaaS providers need to remain aware of the potential for SaaS email spoofing. These types of attacks can lead to reputational damage and loss of client trust.

For SaaS Clients

For organizations that leverage SaaS-based services, especially those from Xero and mycase, there are a variety of measures that can be applied to address these threats. For instance, organizations may wish to:

  • Educate employees around the need to confirm vendor details. Employees should be taught to confirm vendor details by typing the vendor’s URL into a search engine and obtaining information from the vendor’s website or by reviewing an internal database.
  • Maintain a secure, internal database of verified vendor contact details. To keep this database secure, require multiple approvals prior to allowing updates.
  • For critical vendors or high-risk changes, require verification through several channels ahead of accepting new contact information (e.g. email, phone and video call).
  • Enhance email security by implementing advanced threat prevention solutions.
  • Consider advanced threat protection solutions that use AI to detect sophisticated phishing attempts.
  • Invest in cyber insurance to mitigate financial losses from successful phishing attacks. That said, note that insurers are increasingly requiring robust anti-phishing measures as a prerequisite for coverage.
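As an added illustration, not code from the original article or from Check Point, the following Python sketch shows how the verified-vendor database recommended above could be used to flag invoice emails whose contact details, in the body or in an attachment, do not match the verified record for the vendor the message claims to come from; the vendor records and contact values are constructed placeholders.

```python
import re

# Constructed, hypothetical verified-contact registry; in practice this is the
# internal vendor database the article recommends, keyed by vendor domain.
VERIFIED_VENDORS = {
    "xero.com":   {"emails": {"billing@xero.com"},  "phones": {"+1-800-555-0100"}},
    "mycase.com": {"emails": {"support@mycase.com"}, "phones": {"+1-800-555-0199"}},
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")


def normalize_phone(raw):
    """Keep only digits and a leading '+' so formatting differences don't matter."""
    return re.sub(r"[^\d+]", "", raw)


def find_contacts(text):
    """Extract candidate e-mail addresses and phone numbers from free text."""
    emails = {m.lower().rstrip(".") for m in EMAIL_RE.findall(text)}
    phones = {normalize_phone(m) for m in PHONE_RE.findall(text)}
    return emails, phones


def check_invoice(from_addr, body, attachment_text=""):
    """Return human-readable findings for contact details that are not in the
    verified record of the vendor this message claims to come from.

    The From address is attacker-controlled in a spoofed mail, so it is used only
    to select which vendor record to compare against, never trusted on its own.
    Attachment text is checked too, since the article notes that contact details
    are sometimes placed only inside attachments.
    """
    domain = from_addr.rsplit("@", 1)[-1].lower()
    vendor = VERIFIED_VENDORS.get(domain)
    if vendor is None:
        return [f"unknown vendor domain {domain}: route to manual verification"]
    ok_emails = {e.lower() for e in vendor["emails"]}
    ok_phones = {normalize_phone(p) for p in vendor["phones"]}
    findings = []
    for label, text in (("body", body), ("attachment", attachment_text)):
        emails, phones = find_contacts(text)
        findings += [f"{label}: unverified email {e}" for e in sorted(emails - ok_emails)]
        findings += [f"{label}: unverified phone {p}" for p in sorted(phones - ok_phones)]
    return findings
```

A non-empty result should route the invoice to the multi-channel verification step described above rather than to payment.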

Further Thoughts

As organizations increase their reliance on Software-as-a-Service applications, and as cyber criminals start to implement machine learning to create convincing spoofed emails, the number of phishing incidents is likely to rise.

Spoofing incidents are already soaring, as noted at the beginning of the article, with 2,500 emails impersonating just a small handful of companies in the last two weeks alone.

Avoid potential damage, financial penalties, and legal consequences. For more information about how Avanan can help secure your organization, visit our website or contact our security experts for a personalized consultation.